Election Security and the Importance of Audit Trail

A recent EU report on the cybersecurity of elections has warned member states of potential threats for the upcoming European elections. The US midterms are just a week away and concerns about the integrity of the election process are mounting.

Even though very few countries vote online, practically every country and every state has at least some part of the election process digitized. From voter registration, through election campaign internal communication, through election officials communication, to voting machines and computer tallying of the results. And every step can potentially be compromised by a hostile actor (internal or external).

Transparency

The report outlines a comprehensive set of measures to be taken on every step (page 16), and we’d like to focus on what we do best – audit trail that is protected from tampering. Secure audit trail is one of the fundamental aspects of not only security, but also transparency – if you can prove to the voters and candidates that your data and your audit trail haven’t been tampered with, then trust in the election system is preserved. And no matter how secure an election system is, if public trust is shaken, you have a problem. Public trust is of course not gained by a few merkle proofs, but such technical measures can be a component of building trust at least for the technical community.

And such transparency can be made user-friendly – when registering to vote you get a QR code with the hash of your voter entry. Then you query a nice UI for that entry and it checks the provided merkle proofs. The verification UI can be open-source to allow technical people to inspect it, while non-technical people will rely on the “green” successful response. Similar approach can be used for journals, as hash entries can appear live on a website and then they can be used to verify the internal consistency of the journal.

Protecting logs, journals and voter data

Protecting logs and journals is listed as an important measure. Every activity in the digital realm has to be not simply recorded, but also properly protected. And “properly” does not just mean using access control or firewalls – it means protected even from internal actors or external actors that gain significant control over a system. Cryptographic protection, e.g. using hash chains or elements of blockchain, should be considered a necessary security standard. As we learned from the Mueller indictment, attackers do clear their tracks if allowed, and thus the attack remains undetected for long periods of time, potentially compromising elections.

Voter registration data, voter rolls and counted votes should be protected from tampering. This means that every modification and access should be securely logged and data should regularly be verified against the log for inconsistencies. If the audit trail has a record for John Smith but the database lacks one, it could mean someone deleted a bulk of voters. Access should also be secured and logged as voter data may be leaked and then used to influence or suppress voting.

The voting results themselves should be protected. It is true that having a paper trail guarantees that in case of recount any tampering will be corrected, but how do you know to trigger a recount in the first place – how do you know that data is tampered with if you aren’t using a cryptographic protection for your data. A bunch of aggregated polling station results, even if verified by several independent election officials, could be modified before being included in the final result.

Fraud detection

Fraud detection can be performed on top of the collected logs – once you have every action recorded, you can search for anomalies. Early detection is crucial for coping with cyberattacks, especially in time-critical scenarios, such as an election.

Fraud detection on logs should of course be combined with other intrusion detection and intrusion prevention systems, including network traffic monitoring. Multiple fraud detection systems with different data sources and different algorithms are essential. It’s no coincidence that the latest payment regulations emphasize on such multi-layered approach for banking and payment services.

Conclusion

No system is 100% secure, even a paper-only one. But with sufficient security measures and proper use of the available technology, election systems can guarantee that no tampering or leaks have occurred. That alone doesn’t guarantee free and fair election, of course, as technology is just one aspect, but we should try to not let technology be the piece that fails us in our complex democratic societies.